> Please note this process is used in emergency situations when all other troubleshooting options via Azure have been exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
16
16
17
-
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways using Azure have been exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these bare metal machines. On keyset creation, users are validated agaisnt Azure Active Directory for proper authorization if a User Principal Name (UPN) is provided. For proper AAD authorization to occur, when creating new keyset a Azure Group ID must also be supplied with`--azure-group-id <Azure AAD Group ID>`.
17
+
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways using Azure have been exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Azure Group ID `--azure-group-id <Azure AAD Group ID>`.
18
18
19
-
> [!CAUTION]
20
-
> Not supplying a UPN is currently supported during keyset creation and update. After July 1st, 2024, if a UPN is not supplied for a user on keyset creation the user will marked invalid and will be unable to use their keyset. After the grace period date, if a UPN is not supplied for a user during keyset update the user will be marked invalid during reconciliation. In both creation and update scenarios, the keysets and the users are **NOT** deleted, simply invalidated. It is suggested that before July 1st, 2024, the steps are followed to re-create keysets with the UPN for users being provided.
19
+
> [!NOTE]
20
+
> Not supplying a UPN is currently supported during keyset creation and update. However in a future release enforcement of AAD validation is planned and if a UPN is not supplied for a user on keyset creation/update the user will marked invalid. A user marked invalid does not get deleted but, the user and the matching keyset will no longer be able to be used for SSH access. It is suggested that begin to follow steps to update or re-create keysets supplying UPN for users.
21
21
22
22
When the command runs, it executes on each bare metal machine in the Cluster with an active Kubernetes node. There's a reconciliation process that runs periodically that retries the command on any bare metal machine that wasn't available at the time of the original command. Also, any bare metal machine that returns to the cluster via an `az networkcloud baremetalmachine actionreimage` or `az networkcloud baremetalmachine actionreplace` command (see [BareMetal functions](./howto-baremetal-functions.md)) sends a signal causing any active keysets to be sent to the machine as soon as it returns to the cluster. Multiple commands execute in the order received.
23
23
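Review bot: the rewritten admonition at new line 20 carries the grammar defect over from the removed line ("the user will marked invalid") and ends with a broken sentence ("It is suggested that begin to follow steps to update or re-create keysets supplying UPN for users"); suggest "the user will be marked invalid" and "It is suggested that you begin to update or re-create keysets, supplying a UPN for each user." New line 17 also drops the removed line's statement that `--azure-group-id` must be supplied for the directory check to happen; if the group ID is still required for validation, say so explicitly instead of only showing the flag inline.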
@@ -54,8 +54,9 @@ az networkcloud cluster bmckeyset create \
54
54
--expiration <Expiration Timestamp> \
55
55
--jump-hosts-allowed <List of jump server IP addresses> \
56
56
--privilege-level <"Administrator" or "ReadOnly"> \
> Please note this process is used in emergency situations when all other troubleshooting options using Azure have been exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
16
16
17
-
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways have been exhausted via Azure. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so users can manage SSH access to these bare metal machines. On keyset creation, users are validated agaisnt Azure Active Directory for proper authorization if a User Principal Name (UPN) is provided. For proper AAD authorization to occur, when creating new keyset a Azure Group ID must also be supplied with`--azure-group-id <Azure AAD Group ID>`.
17
+
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways have been exhausted via Azure. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so users can manage SSH access to these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Azure Group ID `--azure-group-id <Azure AAD Group ID>`.
18
18
19
-
> [!CAUTION]
20
-
> Not supplying a UPN is currently supported during keyset creation and update. After July 1st, 2024, if a UPN is not supplied for a user on keyset creation the user will marked invalid and will be unable to use their keyset. After the grace period date, if a UPN is not supplied for a user during keyset update the user will be marked invalid during reconciliation. In both creation and update scenarios, the keysets and the users are **NOT** deleted, simply invalidated. It is suggested that before July 1st, 2024, the steps are followed to re-create keysets with the UPN for users being provided.
19
+
> [!NOTE]
20
+
> Not supplying a UPN is currently supported during keyset creation and update. However in a future release enforcement of AAD validation is planned and if a UPN is not supplied for a user on keyset creation/update the user will marked invalid. A user marked invalid does not get deleted but, the user and the matching keyset will no longer be able to be used for SSH access. It is suggested that begin to follow steps to update or re-create keysets supplying UPN for users.
21
21
22
22
When the command runs, it executes on each bare metal machine in the Cluster with an active Kubernetes node. There's a reconciliation process that runs periodically that retries the command on any bare metal machine that wasn't available at the time of the original command. Also, any bare metal machine that returns to the cluster via an `az networkcloud baremetalmachine actionreimage` or `az networkcloud baremetalmachine actionreplace` command (see [BareMetal functions](./howto-baremetal-functions.md)) sends a signal causing any active keysets to be sent to the machine as soon as it returns to the cluster. Multiple commands execute in the order received.
23
23
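Review bot: the naming in this hunk is inconsistent: new line 17 says "Microsoft Entra ID", while the new note on line 20 still says "enforcement of AAD validation" and the placeholder remains `<Azure AAD Group ID>`; pick one name for the directory service within the change. Replacing [!CAUTION] with [!NOTE] at the same time as the July 1st, 2024 date is replaced by "in a future release" leaves the reader with no concrete cutoff; since line 20 still says a user without a UPN will lose SSH access once enforcement is enabled, keeping [!CAUTION] is the safer choice. "will marked invalid" and "It is suggested that begin to follow steps" also need grammar fixes.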
@@ -27,7 +27,7 @@ There's no limit to the number of users in a group.
27
27
> Notes for jump host IP addresses
28
28
29
29
- The keyset create/update process adds the jump host IP addresses to the IP tables for each machine in the Cluster. This restricts SSH access to be allowed only from those jump hosts.
30
-
- It's important to specify the Cluster facing IP addresses for the jump hosts. These IP addresses may be different than the public facing IP address used to access the jump host.
30
+
- It's important to specify the Cluster facing IP addresses for the jump hosts. These IP addresses might be different than the public facing IP address used to access the jump host.
31
31
- Once added, users are able to access bare metal machines from any specified jump host IP including a jump host IP defined in another bare metal machine keyset group.
32
32
- Existing SSH access remains when adding the first bare metal machine keyset. However, the keyset command limits an existing user's SSH access to the specified jump host IPs in the keyset commands.
33
33
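Review bot: the may/might change on line 30 is fine as a style edit; while this list is being touched, line 29's "adds the jump host IP addresses to the IP tables" would be clearer as "to the iptables rules" if the Linux firewall is the mechanism meant, and line 31 could state outright that the allowed source list is the union of jump host IPs across all keysets, which is what it currently implies.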
@@ -64,7 +64,8 @@ az networkcloud cluster baremetalmachinekeyset create \
64
64
--os-group-name <Name of the Operating System Group> \
65
65
--privilege-level <"Standard" or "Superuser"> \
66
66
--user-list '[{"description":"<User List Description>","azureUserName":"<User Name>",\
67
-
"sshPublicKey":{"keyData":"<SSH Public Key>"}}]' \
67
+
"sshPublicKey":{"keyData":"<SSH Public Key>"}, \
68
+
"userPrincipalName":""}]', \
68
69
--tags key1=<Key Value> key2=<Key Value> \
69
70
--cluster-name <Cluster Name> \
70
71
--resource-group <Resource Group>
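Review bot: new line 68 ends the `--user-list` argument with `}]', \`, a comma after the closing single quote; the shell passes that comma as part of the argument (`[...]` becomes `[...],`) and the CLI's JSON parse of the user list will fail. Drop the comma so the line reads `"userPrincipalName":""}]' \`, matching the form of the removed line 67. The empty-string value is also inconsistent with every other field, which uses an angle-bracket placeholder; `"userPrincipalName":"<User Principal Name>"` would be consistent and would stop readers from copying an empty UPN, which the note earlier in this change says will invalidate the user once enforcement is enabled.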
@@ -105,6 +106,7 @@ az networkcloud cluster baremetalmachinekeyset create \
105
106
azure-user-name: Required. User name used to login to the server.
106
107
description: The free-form description for this user.
107
108
key-data: Required. The public ssh key of the user.
109
+
userPrincipalName: Optional. The User Principal Name of the User.
108
110
109
111
Multiple users can be specified by using more than one --user-list argument.
110
112
--os-group-name : The name of the group that users are assigned
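Review bot: the new help line 109 names the field `userPrincipalName` in camelCase while its siblings on lines 106-108 are listed in kebab case (`azure-user-name`, `key-data`); use `user-principal-name` for consistency, or state that the camelCase spelling is the JSON key inside `--user-list` if that is intentional. Plain "Optional." also contradicts the note earlier in this change that a missing UPN will invalidate the user once directory validation is enforced; consider "Optional today; required once Entra ID validation is enforced."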
@@ -153,8 +155,8 @@ az networkcloud cluster baremetalmachinekeyset create \
153
155
--jump-hosts-allowed "192.0.2.1" "192.0.2.5" \
154
156
--os-group-name "standardAccessGroup" \
155
157
--privilege-level "Standard" \
156
-
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team","azureUserName":"userABC", "sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXISTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}},\
157
-
{"description":"Needs access for troubleshooting as a part of the support team","azureUserName":"userXYZ","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXTSTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}}]' \
158
+
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team","azureUserName":"userABC", "sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXISTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"},"userPrincipalName":"[email protected]"},\
159
+
{"description":"Needs access for troubleshooting as a part of the support team","azureUserName":"userXYZ","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXTSTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}, "userPrincipalName":"[email protected]"}]' \
158
160
--tags key1="myvalue1" key2="myvalue2" \
159
161
--cluster-name "clusterName"
160
162
--resource-group "resourceGroupName"
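Review bot: the new example entries on lines 158-159 show the UPN as `[email protected]`, which is not a usable example value; use an explicit placeholder such as `<User Principal Name>` or a clearly fictional UPN in the same style as `userABC`. Also, unchanged line 161 `--cluster-name "clusterName"` has no trailing backslash, so `--resource-group "resourceGroupName"` on line 162 would run as a separate command; add the backslash while this example is being edited.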
@@ -210,7 +212,8 @@ az networkcloud cluster baremetalmachinekeyset update \
210
212
--jump-hosts-allowed <List of jump server IP addresses> \
211
213
--privilege-level <"Standard" or "Superuser"> \
212
214
--user-list '[{"description":"<User List Description>","azureUserName":"<User Name>",\
213
-
"sshPublicKey":{"keyData":"<SSH Public Key>"}}]' \
215
+
"sshPublicKey":{"keyData":"<SSH Public Key>"}, \
216
+
"userPrincipalName":""}]', \
214
217
--tags key1=<Key Value> key2=<Key Value> \
215
218
--cluster-name <Cluster Name> \
216
219
--resource-group <Resource Group>
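Review bot: new line 216 `"userPrincipalName":""}]', \` closes the `--user-list` single quote and then adds a comma before the line continuation; the comma becomes part of the argument and breaks JSON parsing, exactly as in the create template. It should read `"userPrincipalName":""}]' \`, and the empty string should be a `<User Principal Name>` placeholder like the other fields on lines 214-215.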
@@ -237,6 +240,7 @@ az networkcloud cluster baremetalmachinekeyset update \
237
240
azure-user-name: Required. User name used to login to the server.
238
241
description: The free-form description for this user.
239
242
key-data: Required. The public SSH key of the user.
243
+
userPrincipalName: Optional. The User Principal Name of the User.
240
244
241
245
Multiple users can be specified by using more than one --user-list argument.
242
246
--resource-group -g [Required] : Name of resource group. Optional if
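Review bot: `userPrincipalName` on new line 243 is camelCase while `azure-user-name`, `description` and `key-data` on lines 240-242 are kebab case; align the spelling with the create help text as well. "Optional." on its own understates the note in this same change that users without a UPN will be invalidated once validation is enforced; say that the field is optional only until then.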
@@ -256,9 +260,13 @@ az networkcloud cluster baremetalmachinekeyset update \
256
260
--name "bareMetalMachineKeySetName" \
257
261
--expiration "2023-12-31T23:59:59.008Z" \
258
262
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team",\